by crispyalmond 1613 days ago
It's admirable how quickly they fix these. Kudos to the Rust team. But I worry about older software compiled with an older version of Rust which does not have this fixed.
2 comments

> It's admirable how quickly they fix these

This is a weird comment, especially on this fix. The bug was reported back in 2018. From the linked blog post:

    We also want to thank Florian Weimer for reviewing the UNIX-like fix and for
    reporting the same issue back in 2018, even though the Security Response WG
    didn't realize the severity of the issue at the time.
See: https://github.com/rust-lang/rust/issues/48504
It wasn't known to be a security vulnerability at the time.
Failing to recognize it as such is not a hugely different kind of failure. Symlink attacks have been known about for a long time. I'm not castigating the devs/teams here (I don't even think the underlying security risk is that high) but any credit for speedy response should carry caaqil's significant caveat.
> But I worry about older software compiled with an older version of Rust which does not have this fixed

That's true for everything, right? Anyone running older versions of Java, Python, Ruby, Go, C++ (gcc/llvm), etc. that don't update all are exposed to unpatched security vulnerabilities, in both their 3P library dependencies, stdlib, and compilers/interpreters.

I don't see how Rust can force people to update any more than any other language.

Maybe by releasing often (every 6 weeks or out of band for bug fixes like this), they make it easier to use a current version of the compiler, in comparison to the old Java release cycle of multiple years.

Also, testing the compiler against the whole ecosystem on crates.io before releasing a new version helps build trust in the backwards compatibility of new compiler versions.

So they are doing something to establish a culture where updating your compiler regularly is encouraged. I don't have actual numbers and I don't know how enterprise Rust shops handle their compiler versions, but they are doing things to encourage (not force) users to keep their compilers up to date.

Virtually every other language has a stable ABI and dynamically links the standard library, so if you have a vulnerability in the standard library, update it and you're good to go. With Rust, you need to also recompile every program and other library on the system that uses std, which is likely all of them.
Golang, which is the most used systems language of the last few years, also bundles the stdlib.

Additionally, quite a lot of software seems to be distributed in self-contained format; for example many Java apps (even those intended to be installed on a server) come bundled with JRE, and Linux GUI apps and games are usually distributed in Flatpak/Snap/AppImage.

Of course let's not forget about distributing software as Docker images, which is probably the most common way software is installed in many server environments.
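One defender-side check that follows from the point above (std is statically linked, so every Rust binary has to be rebuilt, not just a shared library): scan ELF files for the `rustc version` string the compiler leaves in the `.comment` section and flag binaries built by a toolchain older than the fixed release. This is an added example, not code from the thread or from the Rust project; `MIN_FIXED_VERSION` is a placeholder for the release that carried the fix, and the sample blob is constructed.

```python
"""Inventory ELF binaries by the rustc version embedded in them."""
import re
import sys
from pathlib import Path

# PLACEHOLDER (assumption): set to the first Rust release containing the std fix.
MIN_FIXED_VERSION = (1, 99, 0)

# rustc-built binaries carry a ".comment" note such as
# "rustc version 1.56.0 (<hash> <date>)"; only the numeric triple matters here.
RUSTC_VERSION_RE = re.compile(rb"rustc version (\d+)\.(\d+)\.(\d+)")

# Constructed sample: an ELF magic followed by a fake .comment string.
SAMPLE_BLOB = b"\x7fELF" + b"\x00" * 16 + b"rustc version 1.56.0 (0123456 2021-01-01)\x00"


def rustc_versions(blob):
    """Return the sorted, distinct rustc versions found in a binary's bytes."""
    found = {tuple(int(p) for p in m.groups()) for m in RUSTC_VERSION_RE.finditer(blob)}
    return sorted(found)


def needs_rebuild(blob, minimum=MIN_FIXED_VERSION):
    """True if any embedded rustc version is older than `minimum`.

    A binary with no rustc marker is not treated as Rust and is not flagged.
    """
    return any(v < minimum for v in rustc_versions(blob))


def scan(paths, minimum=MIN_FIXED_VERSION):
    """Map path -> (versions, stale) for every ELF file among `paths`."""
    report = {}
    for p in paths:
        blob = Path(p).read_bytes()
        if blob[:4] != b"\x7fELF":
            continue  # skip scripts, data files, non-ELF binaries
        vers = rustc_versions(blob)
        if vers:
            report[str(p)] = (vers, needs_rebuild(blob, minimum))
    return report


if __name__ == "__main__":
    # Usage: python inventory.py /usr/local/bin/* ; stale binaries are marked REBUILD
    for path, (vers, stale) in scan(sys.argv[1:]).items():
        tag = "REBUILD" if stale else "ok"
        print(f"{tag:8} {path}  rustc {'/'.join('.'.join(map(str, v)) for v in vers)}")
```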

Tbf in python or java you can update the runtime without having to touch the program.